Dumping NAND flash - jvandewiel/no-alexa GitHub Wiki
Dumping the NAND flash via RPi GPIO and FT2232H bit-banging
These are the attempts to get a dump of the firmware/software from the nand chip. The nand wasremoved from the PCB and made accessible by soldering a couple of wires to the chip. 2 pieces of software have been used, a heavily modified [c stuff] and a modified (slowed down) [dumpflash]. The resulting file appears to be consistent, but is scrambled, most likely using an LFSR to render the data pseudo random. Attempts to expose the underlying data using naive ways of de-scrambling the data have failed.
NAND information
The nand chip is the Macronix MX30LF4G28AD (PDF datasheet).
Characteristics
| Characteristics | |
|---|---|
| Total size (4G chip) | 4.294.967.296 |
| Page size | 4.096 |
| OOB size | 256 |
| Raw page | 4.352 |
| Total number of pages | 1.048.576 |
| Pages per block | 64 |
| Blocksize (erase) | 262.144 |
| Num blocks | 16.384 |
| Total sectors | 130.560 |
| Last LBA (from UART) | 131.071 |
| Sector size (bytes) | 32.768 |
| Sector size (pages) | 8 |
| GPT blocks | |
|---|---|
| Last "block" | 131072 |
| Bytes per "block" | 32768 |
| Pages per "block" | 8 |
From the UART logs, we can get the partition table information
[1824] part name:brhgptpl_0, part type:raw_data, size:0x40000
[1825] part name:reserve0, part type:raw_data, size:0xc0000
[1826] part name:lk_a, part type:raw_data, size:0x180000
[1826] part name:lk_b, part type:raw_data, size:0x180000
[1827] part name:brhgptpl_1, part type:raw_data, size:0x40000
[1828] part name:reserve1, part type:raw_data, size:0x1c0000
[1828] part name:idme_nand, part type:raw_data, size:0x200000
[1829] part name:brhgptpl_2, part type:raw_data, size:0x40000
[1830] part name:reserve2, part type:raw_data, size:0x1c0000
[1830] part name:misc, part type:raw_data, size:0x200000
[1831] part name:brhgptpl_3, part type:raw_data, size:0x40000
[1832] part name:reserve3, part type:raw_data, size:0x1c0000
[1832] part name:tee1, part type:raw_data, size:0x500000
[1833] part name:boot_a, part type:raw_data, size:0xf40000
[1834] part name:tee2, part type:raw_data, size:0x500000
[1834] part name:boot_b, part type:raw_data, size:0xf40000
[1835] part name:persist, part type:raw_data, size:0x800000
[1836] part name:userdata, part type:raw_data, size:0x1bf80000
Comparing the dumps for each of these, the following are identical (md5 hash)
- brhgptpl_0, brhgptpl_1, brhgptpl_2, brhgptpl_3
- reserve0, reserve1, reserve2, reserve3 (all empty)
- lk_a, lk_b
- tee1, tee2
- boot_a, boot_b
The others were not (idme_nand, misc, persist, userdata)
Hardware for reading dumping
The NAND was desoldered and glued to a small TSSOP-20 board, then thin wires soldered to the exposed points. These were connected to the GPIO ports on a RPi B to retrieve the data and additionaly to a FT2232H board since the RPi was very very slow.
2 attempts to the retrieve the data on the NAND.
RPi GPIO
Setup
The RPi (version B) PGIO pins were connected as below.
Code
See repo and be warned that this is not done by a C coder.
Results
Fairly consistent dumps for e.g the first pages, but also "encoded", and extremely slow, ~500 mb/24hrs. No further action taken.
FT2232H
Setup
[pic]
Code
Modified version of dumpflash, see repo.